comparison doc/rest.txt @ 7556:273c8c2b5042
fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
Failed API login rate limiting with expiring lockout added.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Wed, 19 Jul 2023 20:37:45 -0400 |
| parents | a072331c843b |
| children | 978285986b2c |
| 7555:451232f83244 | 7556:273c8c2b5042 |
|---|---|
| 74 | 74 |
| 75 If you want to allow Roundup's api to be accessed by an application | 75 If you want to allow Roundup's api to be accessed by an application |
| 76 that is not hosted at the same origin as Roundup, you must permit | 76 that is not hosted at the same origin as Roundup, you must permit |
| 77 the origin using the ``allowed_api_origins`` setting in | 77 the origin using the ``allowed_api_origins`` setting in |
| 78 ``config.ini``. | 78 ``config.ini``. |
| 79 | |
| 80 Rate Limiting API Failed Logins | |
| 81 ------------------------------- | |
| 82 | |
| 83 To make brute force password guessing harder, the REST API has an | |
| 84 invalid login rate limiter. It rate limits the number of failed login | |
| 85 attempts with an invalid user or password. Valid login attempts are | |
| 86 managed by the normal API rate limiter. The rate limiter is a GCRA | |
| 87 leaky bucket variant. All APIs (REST/XMLRPC) share the same rate | |
| 88 limiter. The rate limiter for the HTML/web interface is not shared by | |
| 89 the API failed login rate limiter. | |
| 90 | |
| 91 It is configured by settings in config.ini. Setting | |
| 92 ``api_failed_login_limit`` to a non-zero value enabled the limiter. | |
| 93 Setting it to 0 disables the limiter (not suggested). If a user fails | |
| 94 to log in more than ``api_failed_login_limit`` times in | |
| 95 ``api_failed_login_interval_in_sec`` seconds, a 429 HTTP error will be | |
| 96 returned. The error also tell the user how long they must wait to try | |
| 97 to log in again. | |
| 98 | |
| 99 When a 429 error is returned, the account is locked until enough time | |
| 100 has passed | |
| 101 (``api_failed_login_interval_in_sec/api_failed_login_limit`` seconds) | |
| 102 to make one additional login token available. Any attempt to log in | |
| 103 while it is locked will fail. This is true even if a the correct | |
| 104 password is supplied for a locked account. This means a brute force | |
| 105 attempt can't try more than one password every | |
| 106 ``api_failed_login_interval_in_sec/api_failed_login_limit`` seconds on | |
| 107 average. | |
| 108 | |
| 109 The default values allow up to 4 attempts to login before delaying the | |
| 110 user by 2.5 minutes (150 seconds). At this time there is no supported | |
| 111 method to reset the rate limiter. | |
| 79 | 112 |
| 80 Rate Limiting the API | 113 Rate Limiting the API |
| 81 --------------------- | 114 --------------------- |
| 82 | 115 |
| 83 This is a work in progress. This version of roundup includes Rate | 116 This is a work in progress. This version of roundup includes Rate |
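Review bot: the new "Rate Limiting API Failed Logins" section has several wording errors that will ship in the rendered docs: "a non-zero value enabled the limiter" should read "enables the limiter", "The error also tell the user" should read "tells the user", "even if a the correct password" has a stray "a", and "4 attempts to login" should be "4 attempts to log in". The section also opens by saying "the REST API has an invalid login rate limiter" but then states that "All APIs (REST/XMLRPC) share the same rate limiter"; opening with "the REST and XML-RPC APIs have an invalid login rate limiter" removes the apparent contradiction. Two further suggestions: state the actual default values of ``api_failed_login_limit`` and ``api_failed_login_interval_in_sec`` next to the "4 attempts ... 2.5 minutes (150 seconds)" claim so a reader can check the arithmetic against the ``interval/limit`` formula given above it, and, since "there is no supported method to reset the rate limiter" also implies an administrator cannot clear a lockout early, say so explicitly (and note that a locked account rejects the correct password too), because that is what an admin handling a locked-out user will look for.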
